Fix some bugs
parent
5c08e8c44b
commit
48cd65e6e2
|
@ -42,6 +42,9 @@ module CryptCheck
|
|||
'id_GostR3411_94_with_GostR3410_94_cc' => %i(ghost),
|
||||
'id_GostR3411_94_with_GostR3410_2001_cc' => %i(ghost)
|
||||
}
|
||||
WEAK_SIGN = {
|
||||
critical: %i(mdc2 md2 md4 md5 sha sha1)
|
||||
}
|
||||
|
||||
%i(md2 mdc2 md4 md5 ripemd160 sha sha1 sha2 rsa dss ecc ghost).each do |name|
|
||||
class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1
|
||||
|
|
|
@ -7,7 +7,7 @@ module CryptCheck
|
|||
@server = server
|
||||
@checks = checks
|
||||
@states = calculate_states
|
||||
@grade = calculate_grade
|
||||
@grade = calculate_grade
|
||||
end
|
||||
|
||||
def display
|
||||
|
@ -68,22 +68,17 @@ module CryptCheck
|
|||
'A+'
|
||||
end
|
||||
|
||||
CHECKS = [
|
||||
CHECKS = ([
|
||||
# Certificates
|
||||
[:weak_sign, Proc.new { |s|
|
||||
Cert::WEAK_SIGN[:critical]
|
||||
}, :critical],
|
||||
|
||||
# Keys
|
||||
[:dss_sign, Proc.new { |s| s.dss_sig? }, :critical],
|
||||
[:weak_key, Proc.new { |s| Status.problem s.key_status } ],
|
||||
[:weak_key, Proc.new { |s| Status.problem s.keys.collect &:status }],
|
||||
|
||||
# DH
|
||||
[:weak_dh, Proc.new { |s| Status.problem s.dh_status } ],
|
||||
|
||||
# Certificates
|
||||
[:md2_sign, Proc.new { |s| s.md2_sig? }, :critical],
|
||||
[:mdc2_sign, Proc.new { |s| s.mdc2_sig? }, :critical],
|
||||
[:md4_sign, Proc.new { |s| s.md4_sig? }, :critical],
|
||||
[:md5_sign, Proc.new { |s| s.md5_sig? }, :critical],
|
||||
[:sha_sign, Proc.new { |s| s.sha_sig? }, :critical],
|
||||
|
||||
[:sha1_sign, Proc.new { |s| s.sha1_sig? }, :warning],
|
||||
[:weak_dh, Proc.new { |s| Status.problem s.dh.collect &:status }],
|
||||
|
||||
# Protocols
|
||||
[:ssl, Proc.new { |s| s.ssl? }, :critical],
|
||||
|
@ -111,14 +106,18 @@ module CryptCheck
|
|||
|
||||
[:aead, Proc.new { |s| s.aead? }, :good],
|
||||
#[:aead_only, Proc.new { |s| s.aead_only? }, :best],
|
||||
]
|
||||
] + Cert::WEAK_SIGN.collect do |level, hashes|
|
||||
hashes.collect do |hash|
|
||||
["#{hash}_sig?".to_sym, Proc.new { |s| s.certs.any? &"#{hash}?".to_sym }, level ]
|
||||
end
|
||||
end.flatten(1)).freeze
|
||||
|
||||
def checks
|
||||
checks = CHECKS
|
||||
unless @server.fallback_scsv? == nil
|
||||
checks += [
|
||||
[:no_fallback_scsv, Proc.new { |s| not s.fallback_scsv? }, :error],
|
||||
[:fallback_scsv, Proc.new { |s| s.fallback_scsv? }, :good]
|
||||
[:no_fallback_scsv, Proc.new { |s| not s.fallback_scsv? }, :error],
|
||||
[:fallback_scsv, Proc.new { |s| s.fallback_scsv? }, :good]
|
||||
]
|
||||
end
|
||||
checks
|
||||
|
|
|
@ -28,6 +28,8 @@ module CryptCheck
|
|||
class ConnectionError < ::StandardError
|
||||
end
|
||||
|
||||
attr_reader :certs, :keys, :dh
|
||||
|
||||
def initialize(hostname, family, ip, port)
|
||||
@hostname, @family, @ip, @port = hostname, family, ip, port
|
||||
@dh = []
|
||||
|
@ -48,6 +50,7 @@ module CryptCheck
|
|||
check_fallback_scsv
|
||||
|
||||
verify_certs
|
||||
exit
|
||||
end
|
||||
|
||||
def supported_method?(method)
|
||||
|
@ -105,7 +108,7 @@ module CryptCheck
|
|||
ab = ssl_client(method, [a, b]).cipher.first
|
||||
ba = ssl_client(method, [b, a]).cipher.first
|
||||
if ab != ba
|
||||
Logger.info { " #{method} : " + 'client preference'.colorize(:warning) }
|
||||
Logger.info { " #{method} : " + 'client preference'.colorize(:warning) }
|
||||
:client
|
||||
else
|
||||
sort = -> (a, b) do
|
||||
|
@ -151,6 +154,7 @@ module CryptCheck
|
|||
def fetch_supported_curves
|
||||
Logger.info { '' }
|
||||
Logger.info { 'Supported elliptic curves' }
|
||||
@supported_curves = []
|
||||
|
||||
ecdsa_curve = @ecdsa_certs.keys.first
|
||||
if ecdsa_curve
|
||||
|
@ -286,7 +290,7 @@ module CryptCheck
|
|||
Cipher::TYPES.each do |type, _|
|
||||
class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1
|
||||
def #{type}?
|
||||
supported_ciphers.any? { |c| c.#{type}? }
|
||||
@supported_ciphers.any? { |c| c.#{type}? }
|
||||
end
|
||||
RUBY_EVAL
|
||||
end
|
||||
|
@ -451,6 +455,8 @@ module CryptCheck
|
|||
# Then, collect "ecdsa" connections
|
||||
# { curve => connection, ... }
|
||||
certs += @ecdsa_certs.values
|
||||
# For anonymous cipher, there is no certificate at all
|
||||
certs = certs.reject { |c| c.peer_cert.nil? }
|
||||
# Then, fetch cert
|
||||
certs = certs.collect { |c| Cert.new c }
|
||||
# Then, filter cert to keep uniq fingerprint
|
||||
|
|
Loading…
Reference in New Issue